ElasticSearch RCE (CVE-2015-1427) & JettyLeak

mex

Mar 10, 2015, 6:18:57 AM3/10/15
to naxsi-discuss
There has been some buzz about the latest elasticsearch-rce-vuln recently, but all exploits I've seen so far are getting blocked if you run the naxsi_core.rules with high XSS/SQL-scores, due to the many brackets, quotes and backslashes.

There exists a signature in the doxi-rules that was designed to detect such kinds of attacks against java-based applications, but it doesn't work as expected, since the malicious string is not detected within the body; not sure if bug or feature.


MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348 ;

sig: http://spike.nginx-goodies.com/rules/view/42000348

about the vuln:
http://www.reddit.com/r/netsec/comments/2ycwni/remote_code_execution_in_elasticsearch_cve20151427/

the POC: https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch

-------------------------------------------

On JettyLeak: whoever runs Jetty behind nginx is safe, since nginx itself blocks any such request as malicious, so no naxsi-sig is needed.
Apache btw happily forwards the malicious request.

more info: https://8ack.de/news-der-woche/1425115452

cheers,

mex
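To make the two detection layers discussed in the post concrete, here is an added example (not naxsi's code and not from the doxi-rules): a small constructed model of score-based WAF rules, in which generic character rules push the $XSS/$SQL counters while a `str:java.lang.` rule like 42000348 scores the $UWA counter on BODY values. The rule ids 9001-9007, the weights, the thresholds and the two request bodies are all constructed for the demonstration; the JSON handling only approximates how a body-aware WAF scores keys and values rather than the JSON syntax itself.

```python
import json

# Constructed, simplified model of naxsi-style scoring (not naxsi's code): a rule
# adds its weight to a named counter whenever its string occurs in a scored
# value; the request is blocked once a counter reaches its threshold. Ids
# 9001-9007, weights and thresholds are illustrative, NOT naxsi core rules;
# rule 42000348 mirrors the doxi rule quoted in the post.
MODEL_RULES = [  # (id, pattern, counter, weight)
    (9001, '"', "$XSS", 8), (9002, "'", "$SQL", 4),
    (9003, "(", "$SQL", 4), (9004, ")", "$SQL", 4),
    (9005, "[", "$XSS", 4), (9006, "]", "$XSS", 4),
    (9007, "\\", "$XSS", 8),
    (42000348, "java.lang.", "$UWA", 8),
]
MODEL_THRESHOLDS = {"$SQL": 8, "$XSS": 8, "$UWA": 8}

# Constructed request bodies for the demonstration; neither is the PoC payload.
BENIGN = '{"query":{"match":{"title":"nginx naxsi"}}}'
SCRIPTED = '{"size":1,"script_fields":{"x":{"script":"java.lang.Math.max(1, 2)"}}}'

def body_values(body):
    """Strings a JSON-aware WAF scores: keys and string values only, so the JSON
    syntax's own quotes and braces are not counted. Non-JSON bodies score whole."""
    try:
        doc = json.loads(body)
    except ValueError:
        return [body]
    out = []
    def walk(node):
        if isinstance(node, dict):
            out.extend(node.keys())
            for val in node.values():
                walk(val)
        elif isinstance(node, list):
            for val in node:
                walk(val)
        elif isinstance(node, str):
            out.append(node)
    walk(doc)
    return out

def score_body(body):
    # Returns (scores, matched rule ids, counters at/over threshold);
    # matching is case-insensitive, as naxsi's str: rules are.
    scores, hits = {}, set()
    for value in body_values(body):
        for rid, pattern, counter, weight in MODEL_RULES:
            if pattern in value.lower():
                scores[counter] = scores.get(counter, 0) + weight
                hits.add(rid)
    blocked = sorted(c for c, t in MODEL_THRESHOLDS.items() if scores.get(c, 0) >= t)
    return scores, sorted(hits), blocked
```

The scripted body trips both the generic paren rules ($SQL) and the targeted java.lang. rule ($UWA), while the benign search body, whose only quotes and braces are JSON syntax, scores nothing.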